Tunis, Tunisia, 28 April 2014
Cloud Computing Standardization Includes Security
Ruan HE, Senior Expert, Orange
2nd SG 13 Regional Workshop for Africa on “Future Networks: Cloud Computing, Energy Saving, Security & Virtualization” (Tunis, Tunisia, 28 April 2014)

Outline
1. Starting Cloud Computing Security in FGCC
2. First Standard X.1601
3. Collaboration ITU-T and ISO/IEC
4. Other On-going Works in ITU-T

Starting Cloud Computing Security in FGCC
FGCC: Focus Group on Cloud Computing
Objective: to collect and document information and concepts that would be helpful for developing ITU-T Recommendations to support cloud computing services/applications from a telecommunication/ICT perspective
Period: June 2010 – Dec 2011
Main industrial participants: China Telecom, China Unicom, Cisco, Huawei, KDDI, NTT, Microsoft, Oracle, Orange, ZTE, etc.

Starting Cloud Computing Security in FGCC
Release of a Technical Report in seven parts:
1. Introduction to the cloud ecosystem: definitions, taxonomies, use cases and high-level requirements
2. Functional requirements and reference architecture
3. Requirements and framework architecture of cloud infrastructure
4. Cloud resource management gap analysis
5. Cloud security
6. Overview of SDOs involved in cloud computing
7. Cloud computing benefits from telecommunication and ICT perspectives

First Standard X.1601
X.1601: Security framework for cloud computing
Period: April 2012 – Jan 2014
Objective: high-level security framework to guide future standardization works on the security of cloud computing

First Standard X.1601
Security framework for cloud computing:
- Security threats for cloud computing
- Security challenges for cloud computing
- Cloud computing security capabilities
- Framework methodology
- Mapping of cloud computing security threats and challenges to security capabilities

Collaboration ITU-T and ISO/IEC
ITU-T X.cc-control | ISO/IEC common text: the security controls for cloud computing
Title: Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC
Progress: 2nd CD April 2014, DIS 2015

Collaboration ITU-T and ISO/IEC
Cloud computing security controls:
- cloud sector-specific concepts
- information security policies
- organization of information security
- human resource security
- asset management
- access control
- cryptography
- physical and environment security
- operations security
- communications security
- system acquisition, development and maintenance
- supplier relationships
- information security incident management
- information security aspects of business continuity management
- compliance

Other On-going Works in ITU-T
- X.sfcse: Security requirements for SaaS application environments
- X.goscc: Requirements of operational security for cloud computing
- X.idmcc: Requirements of IdM in cloud computing

Thank You!

References
- FGCC Technical Report
- X.1601: Security framework for cloud computing